Cyber Security Standards and Definitions are Required to Lift NSW Government’s Cyber Security Capability
It’s been said that you can’t improve what you can’t measure, and that holds just as true for cyber security.
Similarly, you can’t measure what you haven’t defined.
This is the stark reality of the NSW Government’s cyber security challenge highlighted in the recent NSW Auditor-General’s report on Internal Controls and Governance.
And it is a challenge facing all levels of government across Australia, not just NSW.
The annual report is based on survey responses from 39 NSW agencies representing 95 percent of NSW expenditure.
It found a total of 8,503 attacks across the reporting cohort in 2016-17.
To put this in context, Macquarie Government identifies more attempted malware intrusions on our Federal Government Secure Internet Gateway in one day.
But even with the agencies’ reported 8,503 attacks, there is an anomaly that is difficult to understand.
Two agencies alone account for 7,040 attacks, and one third of agencies report no attacks.
While this is simply not credible, the report clearly states what is going on.
Comparing apples with apples
The agencies use their own definitions of a cyber-attack, and their own approaches to record and report attacks, leading the report to baldly conclude that ‘the number and nature of attacks is unknown’.
Can’t be much clearer than that.
The Federal government defines cyber-attack as ‘a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or prosperity.’
That definition is a little more complicated in practice than it might appear at face value.
While the definition excludes relatively unsophisticated incidents, those same incidents, such as phishing and commodity malware, are often the vehicle used to penetrate systems and launch attacks.
Baseline cyber hygiene
This is why a solid, clearly-defined foundation of “cyber hygiene” is so important. Effectively blocking spam from clogging up email inboxes not only assists productivity, but is also a crucial first-line defence against more dangerous traffic.
Agreeing on definitions applied across all government agencies is a starting point for a meaningful conversation about how we lift the whole-of-government cyber security capability.
We read a lot about highly sophisticated cyber-attacks and defences, cyber espionage and nation-on-nation attacks.
But consistent reporting against agreed definitions, establishing cyber security standards, and setting baseline compliance obligations will protect the nation from most threats.
The Australian Signals Directorate (ASD) has stated that its Top 4 strategies to mitigate cyber intrusions, baseline measures such as patching applications and restricting administrative privileges, will block 85% of the intrusions ASD responds to.
The NSW CISO, Maria Milosavljevic, will no doubt make achieving this a priority in her upcoming cyber security strategy.
It is incumbent on all of us with a role to play in cyber security to support Maria when the moment comes.